Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

New GoGra Malware: A Highly Evasive Linux Variant Utilizing Microsoft Graph API for Comms


A new Linux variant of the GoGra backdoor has emerged, using Microsoft Graph API to access Outlook mailboxes and execute malicious commands. Developed by suspected state-sponsored espionage group Harvester, this malware is notable for its use of legitimate Microsoft infrastructure to achieve stealthy payload delivery.

  • The new GoGra backdoor variant, developed by the Harvester threat group, leverages legitimate Microsoft infrastructure for stealthy payload delivery.
  • The Linux version uses hardcoded Azure Active Directory credentials to authenticate and obtain OAuth2 tokens via the Microsoft Graph API.
  • The malware checks for specific Outlook mailbox folders using OData queries and executes local commands when found.
  • Execution results are sent back to the operator via reply emails with the subject "Output."
  • The Linux variant shares a nearly identical codebase with the Windows version, suggesting a single developer.
  • Symantec warns of increased targeting scope and encourages organizations to take proactive measures to protect themselves against this malware.



    The cybersecurity landscape has recently witnessed the emergence of a new and highly evasive Linux variant of the GoGra backdoor, which leverages legitimate Microsoft infrastructure to achieve stealthy payload delivery. Developed by the suspected state-sponsored espionage group Harvester, this malware variant is notable for its use of the Microsoft Graph API to access mailbox data.

    According to recent research conducted by Symantec, the Linux version of the GoGra backdoor uses hardcoded Azure Active Directory credentials to authenticate to Microsoft's cloud and obtain OAuth2 tokens. This allows it to interact with Outlook mailboxes via the Microsoft Graph API, making it highly evasive due to its use of legitimate Microsoft infrastructure.

    The initial stage of the attack involves a Go-based malware dropper that deploys an i386 payload, establishing persistence via 'systemd' and an XDG autostart entry posing as the legitimate Conky system monitor for Linux and BSD. The malware then checks every two seconds for an Outlook mailbox folder named "Zomato Pizza," using OData queries to identify incoming emails with subject lines beginning with "Input."
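The persistence step above gives defenders a concrete host-side check: an XDG autostart entry that calls itself Conky but launches a binary from a location where no packaged Conky would live. The script below is an added example (not code from the article or from Symantec) that parses `.desktop` files and flags such impostors. `KNOWN_CONKY_PATHS` and the two sample entries it writes to a temporary directory are constructed assumptions; extend the path list for your distribution, and apply the same idea to user systemd units under `~/.config/systemd/user`, which this block does not cover.

```python
"""Triage XDG autostart entries that masquerade as the Conky system monitor.

Added example, not from the article or from Symantec. The rule implemented here is
the masquerade the article describes: the entry's Name/Comment claims to be Conky,
but Exec resolves to a binary outside the paths a packaged Conky is installed to.
"""
import configparser
import os
import shlex
import shutil
import tempfile
from pathlib import Path

# Assumption: where distribution packages install the real Conky binary.
KNOWN_CONKY_PATHS = ("/usr/bin/conky", "/usr/local/bin/conky")


def parse_desktop(path):
    """Return the fields we need from a .desktop file, or None if it has no entry section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)  # Exec may contain '%' codes
    cp.read(path, encoding="utf-8")
    if not cp.has_section("Desktop Entry"):
        return None
    sec = cp["Desktop Entry"]
    return {"file": str(path), "name": sec.get("Name", ""),
            "comment": sec.get("Comment", ""), "exec": sec.get("Exec", "")}


def is_conky_impostor(entry):
    """True when the entry presents itself as Conky but runs something from elsewhere."""
    claims_conky = "conky" in (entry["name"] + " " + entry["comment"]).lower()
    if not claims_conky or not entry["exec"]:
        return False
    argv = shlex.split(entry["exec"])
    binary = argv[0] if argv else ""
    if not os.path.isabs(binary):
        # a bare name is resolved through PATH; if it does not resolve, keep it flagged
        binary = shutil.which(binary) or binary
    return binary not in KNOWN_CONKY_PATHS and os.path.realpath(binary) not in KNOWN_CONKY_PATHS


def scan_autostart(dirs):
    """Return the impostor entries found across the given autostart directories."""
    findings = []
    for d in dirs:
        for f in sorted(Path(d).glob("*.desktop")):
            entry = parse_desktop(f)
            if entry and is_conky_impostor(entry):
                findings.append(entry)
    return findings


def build_sample_autostart():
    """Write two constructed .desktop files (one benign, one impostor) and return the directory."""
    d = Path(tempfile.mkdtemp(prefix="autostart-sample-"))
    (d / "conky.desktop").write_text(
        "[Desktop Entry]\nType=Application\nName=Conky\n"
        "Comment=Conky system monitor\nExec=/usr/bin/conky --daemonize\n")
    (d / "conky-monitor.desktop").write_text(  # constructed suspicious entry: hidden, user-writable path
        "[Desktop Entry]\nType=Application\nName=Conky\n"
        "Comment=Conky system monitor for Linux\nExec=/home/user/.local/share/.cache/conky %u\n")
    return d


if __name__ == "__main__":
    # Real run: the user's and the system-wide autostart directories.
    real_dirs = [Path.home() / ".config" / "autostart", Path("/etc/xdg/autostart")]
    for hit in scan_autostart([d for d in real_dirs if d.is_dir()]):
        print("impostor autostart entry:", hit["file"], "->", hit["exec"])
    # Demo on the constructed sample directory.
    for hit in scan_autostart([build_sample_autostart()]):
        print("sample impostor:", hit["file"], "->", hit["exec"])
```

The check deliberately trusts only absolute package paths: an `Exec=` pointing into a hidden directory under the home folder, as in the constructed sample, is exactly the shape of persistence the article attributes to the dropper.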

    Once identified, the malware base64-decodes and AES-CBC-decrypts the contents of these messages and executes the resulting commands locally. Execution results are then AES-encrypted and returned to the operator via reply emails with the subject "Output." To reduce forensic visibility, the malware issues an HTTP DELETE request to remove the original command email after processing it.
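Taken together, the three paragraphs above describe a mailbox C2 loop with a fixed set of observable artefacts: an OData folder lookup for "Zomato Pizza" repeated every two seconds, a `startswith(subject,'Input')` message query, a reply whose subject begins with "Output", and a DELETE of the command message. The hunting script below is an added example (not from the article or from Symantec) that applies those indicators, plus a polling-cadence heuristic, to Graph API request records. The event dictionary shape, the app and object ids, and the timestamps are constructed; real Microsoft Graph or Entra ID activity logs carry different field names and must be mapped onto these keys first. The URL patterns themselves follow Graph's documented `/users/{id}/mailFolders` and `$filter` conventions.

```python
"""Hunt for GoGra-style mailbox C2 in Microsoft Graph request records.

Added example, not from the article or from Symantec. Indicators (folder name,
subject prefixes, DELETE after read, ~2 s polling) are those the article reports;
the event shape and all ids below are constructed placeholders.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median, pstdev

C2_FOLDER = "Zomato Pizza"
CMD_SUBJECT_PREFIX = "Input"
RESULT_SUBJECT_PREFIX = "Output"


def ioc_hits(events):
    """Return (indicator, event) pairs for records matching the reported C2 behaviour."""
    hits = []
    for ev in events:
        path, subject = ev.get("path", ""), ev.get("subject") or ""
        if C2_FOLDER in path:                                     # folder lookup by displayName
            hits.append(("c2_folder_lookup", ev))
        elif f"startswith(subject,'{CMD_SUBJECT_PREFIX}')" in path:  # OData query for commands
            hits.append(("command_poll", ev))
        elif ev["method"] == "POST" and subject.startswith(RESULT_SUBJECT_PREFIX):
            hits.append(("result_reply", ev))                   # results sent back as a reply
        elif ev["method"] == "DELETE" and "/messages/" in path:
            hits.append(("evidence_removal", ev))               # command mail deleted afterwards
    return hits


def polling_apps(events, max_median_s=5.0, max_jitter_s=0.5, min_requests=5):
    """Return app ids whose GET requests arrive on a tight, near-constant cadence."""
    per_app = defaultdict(list)
    for ev in events:
        if ev["method"] == "GET":
            per_app[ev["app_id"]].append(datetime.fromisoformat(ev["ts"]))
    flagged = []
    for app, times in per_app.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if median(gaps) <= max_median_s and pstdev(gaps) <= max_jitter_s:
            flagged.append(app)
    return flagged


def summarize(events):
    """Combine both detections into one report dictionary."""
    return {"indicator_counts": dict(Counter(kind for kind, _ in ioc_hits(events))),
            "polling_apps": polling_apps(events)}


def constructed_events():
    """Constructed sample: one app polling like GoGra, one app behaving normally."""
    evs = []
    for sec in range(0, 12, 2):  # six folder lookups, two seconds apart
        evs.append({"ts": f"2026-04-22T05:21:{sec:02d}", "app_id": "APP-ID-SUSPECT", "method": "GET",
                    "path": "/users/USER-ID/mailFolders?$filter=displayName eq 'Zomato Pizza'",
                    "subject": None})
    evs += [
        {"ts": "2026-04-22T05:21:12", "app_id": "APP-ID-SUSPECT", "method": "GET",
         "path": "/users/USER-ID/mailFolders/FOLDER-ID/messages?$filter=startswith(subject,'Input')",
         "subject": None},
        {"ts": "2026-04-22T05:21:13", "app_id": "APP-ID-SUSPECT", "method": "POST",
         "path": "/users/USER-ID/messages/MSG-ID/reply", "subject": "Output"},
        {"ts": "2026-04-22T05:21:14", "app_id": "APP-ID-SUSPECT", "method": "DELETE",
         "path": "/users/USER-ID/messages/MSG-ID", "subject": None},
    ]
    for ts in ("2026-04-22T05:20:00", "2026-04-22T05:20:30", "2026-04-22T05:25:30",
               "2026-04-22T05:26:15", "2026-04-22T05:40:00"):  # irregular, human-driven reads
        evs.append({"ts": ts, "app_id": "APP-ID-BENIGN", "method": "GET",
                    "path": "/users/USER-ID/mailFolders/inbox/messages?$top=10", "subject": None})
    return evs


if __name__ == "__main__":
    print(summarize(constructed_events()))
```

The string indicators are brittle on purpose, since a renamed folder or subject prefix defeats them; the cadence heuristic is the more durable signal, because a two-second poll from a non-interactive application identity stands out regardless of the folder name, and it is worth tuning `max_median_s` against the legitimate automation in your own tenant.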

    The Linux variant of GoGra shares a nearly identical codebase with the Windows version of the malware, including the same typos in strings and function names, as well as the same AES key. This strongly suggests that both pieces of malware were created by the same developer, pointing to the Harvester threat group.

    Symantec sees the appearance of a Linux GoGra variant as an indication that Harvester is expanding its toolset and targeting scope to tap into a broader range of systems. As such, it is essential for organizations operating on Linux platforms to remain vigilant and take proactive measures to protect themselves against this highly evasive malware.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/New-GoGra-Malware-A-Highly-Evasive-Linux-Variant-Utilizing-Microsoft-Graph-API-for-Comms-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/new-gogra-malware-for-linux-uses-microsoft-graph-api-for-comms/

  • https://thehackernews.com/2024/08/new-go-based-backdoor-gogra-targets.html

  • https://malwaretips.com/threads/hackers-increasingly-abusing-microsoft-graph-api-for-stealthy-malware-communications.130826/

  • https://securityaffairs.com/123559/apt/harvester-targets-telcos.html

  • https://www.security.com/threat-intelligence/harvester-new-apt-attacks-asia


    Published: Wed Apr 22 05:21:25 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.